BACK_TO_OVERVIEW

The technical platform behind managed Linux at scale

Cybex combines an open device agent, reusable blueprints, policy inheritance and controlled rollouts to make Linux desktops manageable across schools, governments and companies.

Declarative
NixOS-based
Open agent
inspectable · signed
Auditable
who · what · when
01ARCHITECTURE_OVERVIEW

How the pieces fit together.

A central management system talks to a signed agent on every device. Policies and blueprints describe the desired state; the agent reconciles to it and reports back; every change lands in the audit trail.

POLICIES
Layered intent: base, site, blueprint, override.
BLUEPRINTS
Versioned, reusable device recipes.
AUDIT_TRAIL
Every change: who, what, when, where.
Cybex Management System
Device agent
Runs on each device. Reconciles state, reports facts. Open source.
Managed Linux devices
Desktops & laptops in their declared, reproducible state.
Check-ins
Heartbeats carry status, drift and hardware facts back up.
manage.cybex.net / dashboard LIVE · 09:41:55
CybexCybex
Dashboard
Enrollments
Devices
Blueprints
Rollouts
Audit log
Dashboard
workspace · digitalpals
ALL_SYSTEMS_NOMINAL
FLEET_CONTROL_HEALTH
99%
220
HEALTHY
2
WARN
0
CRIT
DEVICES
223
PENDING
4
ROLLOUTS
3
NEEDS_ATTENTIONreview →
nx-7a41e0 · recoveredlab-3 · auto-remediatedOK
drift detected · 2 devicessite/rotterdam · reconcilingWARN
RECENT_ACTIVITYview_all →
adopt enrollment · nx-9c12d0just now · avery
publish lab-workstation r121m ago · jordan
advance rollout · stage 24m ago · system
02OPEN_AGENT

An agent you can read.

A signed Cybex agent runs on each managed device. It is open source, so security teams can verify exactly what it collects and what it changes — trust comes from inspection, not promises.

Runs on every deviceReconciles the device to its declared state and reports facts on check-in.
Open sourceRead it, build it, and run your own build if you choose.
Verifiable behaviorInspect exactly what the agent reads, changes and sends upstream.
github.com/CybexHQ
device · cybex-agent status
$ cybex-agent status
agent v0.9.2 · identity nx-7a41e0
channel stable 24.05 · signed
reconcile in sync · drift 0
reports: os · packages · disk · posture
changes: declared state only
last check-in just now
03REFERENCE_DEVICE → BLUEPRINT

From one reference device to the whole fleet.

Configure a reference device or VM, let the agent snapshot the relevant configuration, and Cybex generates or updates a versioned blueprint — reviewable, reusable across groups, and rolled out under control.

01
Configure

Reference device or VM, set up by hand.

02
Snapshot

Agent captures the declarative state.

03
Generate

A versioned blueprint, ready to review.

04
Reuse

Assign to groups of devices.

05
Roll out

Review, then ship in stages.

reference-vm · cybex-agent
$ cybex snapshot --label lab-workstation
→ reading system configuration
→ desktop: gnome · 41 packages
→ users · policies · security posture
→ hashing declarative state
blueprint lab-workstation@r12 ready
publish? y
lab-workstation
blueprint · revision r12
PUBLISHED
DESKTOP
GNOME 46
PACKAGES
41 pinned
CHANNEL
stable 24.05
ASSIGNED
62 devices
snapshotted from reference-vm · 2m ago
04POLICY_MODEL

Four layers of intent, resolved per device.

Policy inherits from the broadest layer to the narrowest. The same model works for schools, companies and governments — only the contents differ. Select a layer to see what it controls.

Base Policy
ALL_DEVICES · ORGANIZATION-WIDE

The organization-wide baseline every device inherits first.

CONTROLS
05STAGED_ROLLOUTS

Ship to the fleet, one stage at a time.

Publish to a pilot group, watch fleet health, then advance — or roll back. Scroll to deploy lab-workstation@r12 across all 223 devices.

STAGE 1 / 3 0% 0 / 223 devices
STAGE_1 · PILOT11
STAGE_2 · EARLY56
STAGE_3 · FULL156
● ready to publish · scroll to deploy
06SECURITY_&_COMPLIANCE

Built so you can prove what's running.

The control plane gives security teams the evidence they need: what's deployed, what changed, and who changed it — without overclaiming certifications Cybex doesn't hold.

Device inventory

A live record of every managed device, its hardware and its kernel.

Configuration state

The exact declared state of each device — and any drift from it.

Update visibility

See which revision each device runs and what an update will change.

Audit logs

Every change is attributable: who, what, when, and which policy layer.

Controlled changes

Changes ship as reviewable, staged rollouts — never silent, never all at once.

Least privilege

Role-based access where it applies, so operators only touch what they should.

07HOSTING_&_RESIDENCY

European hosting, fully managed.

Cybex Cloud is a fully managed service, run for you in European datacenters — there's no software for you to host, patch or operate. And standardizing on open Linux means no proprietary-OS lock-in.

Fully managed

Cybex runs the control plane for you — nothing to install, patch or maintain yourself.

European operation

A European company, operated under European rules.

EU data residency

Your configuration, packages and audit trail are stored and processed inside the EU.

No OS lock-in

Standardize on open Linux instead of a proprietary platform.

08SUPPORTED_PLATFORMS

Linux first. Honest about the rest.

Cybex focuses on doing Linux device management properly before spreading thin. Here's what's available today and where it's heading.

Linux / NixOS
AVAILABLE

Desktops and laptops, built declarative-first on NixOS — the initial focus and where Cybex is most capable today.

Chromebooks
FUTURE DIRECTION

Chromebook support is a possible future direction, not a commitment for today. We won't promise a platform before it's real.

Ready to explore a managed path to Linux?

Talk to us about your migration, or read the open agent and see exactly how it works.